Duplicate forward rules and returning packets drop issues.

Hi,

I’m using very simple, almost default firewall rules:

add action=accept chain=input comment="input: accept established,related,untracked" connection-state=established,related,untracked in-interface=bridge
add action=drop chain=input comment="input: invalids drop" connection-state=invalid in-interface=bridge log-prefix="drop invalid"
add action=drop chain=input comment="input: wan drop" in-interface=wan
add action=fasttrack-connection chain=forward comment="forward: fasttrack established,related" connection-state=established,related in-interface=bridge
add action=accept chain=forward comment="forward: accept established,related,untracked" connection-state=established,related,untracked in-interface=bridge
add action=drop chain=forward comment="forward: drop invalids" connection-state=invalid in-interface=bridge log-prefix="drop invalid"
add action=drop chain=forward comment="forward: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=wan

Questions/problems:

  1. Why are two forward rules needed? When I enable the “untracked” option in the fasttrack rule and disable the second forward rule, everything works fine:
add action=fasttrack-connection chain=forward comment="forward: fasttrack established,related,untracked" connection-state=established,related,untracked in-interface=bridge
add action=accept chain=forward comment="forward: accept established,related,untracked" connection-state=established,related,untracked disabled=yes in-interface=bridge

So what problems can such a solution cause?

  2. I want to block all incoming traffic from wan, so I added the rule:
add action=drop chain=input comment="input: wan drop" in-interface=wan

But it turned out that MikroTik's (ntp, cloud, dns) queries are failing, for example:

/system script> :put [ :resolve yahoo.com ]
failure: dns server failure

It seems the returning packets are dropped. So I added two new rules at the end:

add action=accept chain=output comment="output: accept established,related" connection-state=established,related in-interface=bridge
add action=drop chain=output comment="output: invalids drop" connection-state=invalid in-interface=bridge log-prefix="drop invalid"

But this didn’t help. Finally I enabled the “not established,related” option in the wan drop rule, and it helped:

add action=drop chain=input comment="input: wan drop, !invalid,!established" connection-state=!established,related in-interface=wan

However, such logic seems strange. Why are the return packets of MikroTik's outgoing queries dropped by the wan input chain, and how do I write such a rule correctly?
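To make the behaviour described in this post reproducible, here is an added worked example that is not part of the original post and not MikroTik code: a small first-match model of a RouterOS filter chain fed with the rules quoted above. It models only the matchers those rules use (chain, in-interface, connection-state with a leading "!" negating the whole list, the dstnat form of connection-nat-state, disabled=yes), treats fasttrack-connection as non-terminating, and accepts any packet that reaches the end of a chain, which is how RouterOS behaves. The packets and the alternative ruleset (accept established/related on every interface, keep the plain wan drop) are constructed for illustration.

```python
"""First-match model of a RouterOS firewall chain (constructed example, not RouterOS code).

Shows why a reply to a router-originated DNS query, arriving on wan as an
'established' packet, never reaches the bridge-only accept rule and is caught
by the unconditional 'input: wan drop' rule.
"""
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    in_interface: str
    connection_state: str       # new | established | related | invalid | untracked
    dstnat: bool = False
    fasttracked: bool = False   # set when a fasttrack-connection rule matches


def parse_rule(line):
    """Turn one `add key=value ...` line into a dict (quoted values keep their spaces)."""
    tokens = shlex.split(line)
    if tokens[0] != "add":
        raise ValueError(f"not a rule line: {line!r}")
    return dict(tok.partition("=")[::2] for tok in tokens[1:])


def parse_rules(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


def matches(rule, pkt):
    if rule.get("disabled") == "yes":
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt.in_interface:
        return False
    spec = rule.get("connection-state")
    if spec is not None:
        negate = spec.startswith("!")
        states = set(spec.lstrip("!").split(","))
        # "!established,related" negates the whole list: match only states outside it
        if (pkt.connection_state in states) == negate:
            return False
    nat = rule.get("connection-nat-state")
    if nat is not None:
        if nat.lstrip("!") != "dstnat":
            raise ValueError("only dstnat / !dstnat are modelled here")
        if pkt.dstnat != (not nat.startswith("!")):
            return False
    return True


def evaluate(rules, chain, pkt):
    """Walk `chain` first-match style; return (verdict, what decided it)."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["action"] == "fasttrack-connection":
            pkt.fasttracked = True      # non-terminating: keep walking the chain
            continue
        if rule["action"] in ("accept", "drop"):
            return rule["action"], rule.get("comment", "<no comment>")
        raise ValueError(f"action {rule['action']} not modelled")
    return "accept", "end of chain (implicit accept)"


# Input chain exactly as posted above.
INPUT_ORIGINAL = parse_rules("""
add action=accept chain=input comment="input: accept established,related,untracked" connection-state=established,related,untracked in-interface=bridge
add action=drop chain=input comment="input: invalids drop" connection-state=invalid in-interface=bridge log-prefix="drop invalid"
add action=drop chain=input comment="input: wan drop" in-interface=wan
""")

# The poster's working variant: the wan drop rule excludes established/related.
INPUT_OP_FIX = INPUT_ORIGINAL[:2] + parse_rules("""
add action=drop chain=input comment="input: wan drop, !invalid,!established" connection-state=!established,related in-interface=wan
""")

# Constructed alternative: accept established/related replies on every interface
# (no in-interface=bridge), so the plain wan drop only ever sees new traffic.
INPUT_ALT_FIX = parse_rules("""
add action=accept chain=input comment="input: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="input: invalids drop" connection-state=invalid log-prefix="drop invalid"
add action=drop chain=input comment="input: wan drop" in-interface=wan
""")

# Forward chain from question 1, with the accept rule disabled as posted.
FORWARD_ACCEPT_DISABLED = parse_rules("""
add action=fasttrack-connection chain=forward comment="forward: fasttrack established,related,untracked" connection-state=established,related,untracked in-interface=bridge
add action=accept chain=forward comment="forward: accept established,related,untracked" connection-state=established,related,untracked disabled=yes in-interface=bridge
add action=drop chain=forward comment="forward: drop invalids" connection-state=invalid in-interface=bridge log-prefix="drop invalid"
add action=drop chain=forward comment="forward: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=wan
""")


def dns_reply(rules):
    """Reply to a router-originated DNS query: arrives on wan, conntrack says established."""
    return evaluate(rules, "input", Packet("wan", "established"))


def unsolicited_wan(rules):
    """A fresh connection attempt from the internet to the router itself."""
    return evaluate(rules, "input", Packet("wan", "new"))


def lan_forward_with_accept_disabled():
    pkt = Packet("bridge", "established")
    return evaluate(FORWARD_ACCEPT_DISABLED, "forward", pkt), pkt.fasttracked


if __name__ == "__main__":
    for name, rules in (("original", INPUT_ORIGINAL), ("op fix", INPUT_OP_FIX), ("alt fix", INPUT_ALT_FIX)):
        print(f"{name:9s} dns reply    -> {dns_reply(rules)}")
        print(f"{name:9s} new from wan -> {unsolicited_wan(rules)}")
    print("forward, accept rule disabled ->", lan_forward_with_accept_disabled())
```

Running it shows the two points a reviewer of this config would want visible: with the original rules the DNS reply is dropped by "input: wan drop" because the accept rule before it only matches in-interface=bridge, and in both the poster's variant and the forward chain with the accept rule disabled, traffic is only passing because it falls off the end of the chain into the implicit accept rather than being accepted by an explicit rule. The constructed alternative makes the accept explicit while still dropping new connections from wan.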

Ok… so you have a default firewall. It works. Now you are deleting/changing things, and it does not work.
Maybe the “issue” is that the changes you make are affecting things?
Could it be solved by reading the documentation to understand what “fasttrack” and “established,related” mean?

Ok, the first forward/fasttrack rule marks the connection and then it hits the second forward rule, so let it be two rules.

But this has nothing to do with the second question: why are lan > wan outgoing connections working but localhost > wan connections not working?

Things are not often in isolation…
Post the full config, less the router serial number and any public WAN IP information:

/export file=anynameyouwish